User slice does not enforce memory limit. #3945

Closed
zstewar1 opened this Issue Aug 12, 2016 · 4 comments

zstewar1 commented Aug 12, 2016

Submission type

  • Bug report
  • Request for enhancement (RFE)

NOTE: Do not submit anything other than bug reports or RFEs via the issue tracker!

systemd version the issue has been seen with

$ systemctl --version
systemd 231
+PAM -AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN

NOTE: Do not submit bug reports about anything but the two most recently released systemd versions upstream!

Used distribution

Arch Linux

$ uname -a
Linux R6-C9 4.7.0-1-ARCH #1 SMP PREEMPT Mon Aug 8 22:05:58 CEST 2016 x86_64 GNU/Linux

In case of bug report: Expected behaviour you didn't see

I expected a user process launched in a user slice with systemd-run --user --slice=my-user-slice.slice command to have memory limits enforced as specified in the .slice file.

In case of bug report: Unexpected behaviour you saw

Process started with systemd-run --user is able to allocate memory beyond the configured resource limit. With an extremely low (KiB range) memory limit, the process was able to allocate >3.5GiB and effectively freeze the system.

In case of bug report: Steps to reproduce the problem

  1. Create a chrome.slice file in ~/.config/systemd/user:

     [Unit]
     Description=A slice for chrome, all it's own
     Before=slices.target

     [Slice]
     MemoryAccounting=true
     MemoryLimit=10K
     MemoryMax=10K
     MemoryHigh=5K

  2. Start the slice:

     systemctl --user start chrome.slice

  3. Run a process in this slice:

     systemd-run --user --description='Google Chrome' --slice=chrome.slice google-chrome-stable

  4. Open a bunch of tabs to high-memory pages like gmail or Google Maps.

Given that the configured limit is for 10KiB, I would expect the process to fail with Out of Memory or just Killed immediately on start-up. (I was trying to configure higher limits than that to avoid letting chrome use up all of my ram). However, even with this "limit" set, Chrome is still able to use up all of my ram and freeze my entire system.

According to systemctl, the chrome processes are running in the chrome slice:

$ systemctl status --user run-rd5181ee093af4d09aaf1cba29c33fe05.service
● run-rd5181ee093af4d09aaf1cba29c33fe05.service - Google Chrome
   Loaded: loaded (/run/user/1000/systemd/transient/run-rd5181ee093af4d09aaf1cba29c33fe05.service; transient; vendor preset: enabled)
Transient: yes
   Active: active (running) since Thu 2016-08-11 23:51:19 EDT; 19min ago
 Main PID: 1889 (chrome)
   CGroup: /user.slice/user-1000.slice/user@1000.service/chrome.slice/run-rd5181ee093af4d09aaf1cba29c33fe05.service
           ├─1889 /opt/google/chrome/chrome
           ├─1894 cat
           ├─1895 cat
           ├─1897 /opt/google/chrome/chrome-sandbox /opt/google/chrome/chrome --type=zygote
           ├─1898 /opt/google/chrome/chrome --type=zygote
           ├─1900 /opt/google/chrome/chrome-sandbox /opt/google/chrome/nacl_helper
           ├─1901 /opt/google/chrome/nacl_helper
           ├─1904 /opt/google/chrome/chrome --type=zygote
           ├─1970 /opt/google/chrome/chrome --type=gpu-process --channel=1889.0.1232237232 --mojo-application-channel-token=C14D3D04F107E287B77989AE32F8218A --enable-features=*
           ├─1984 /opt/google/chrome/chrome --type=gpu-broker
           ├─2042 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2046 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2065 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2075 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2085 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2162 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2218 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2323 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2333 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2385 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2398 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2420 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2430 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2445 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2457 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           ├─2540 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl
           └─2738 /opt/google/chrome/chrome --type=renderer --enable-features=*PreconnectMore<PreconnectMore,UsePasswordSeparatedSigninFlow<PasswordSeparatedSigninFlow --disabl

Aug 11 23:51:19 R6-C9 systemd[492]: Started Google Chrome.

Member

poettering commented Aug 17, 2016

Duplicate of #3744, closing.

kovetskiy commented May 30, 2017

@zstewar1 have you found a way to set a memory limit for a systemd service with Google Chrome? (or maybe other ways to set a memory limit for google-chrome)

zstewar1 commented May 30, 2017

@kovetskiy No, I just try to keep fewer tabs open, especially ones with high-memory-usage apps.

kovetskiy commented May 30, 2017

@zstewar1 OK, I've found it. First of all, you need to create a slice like the following:

# /etc/systemd/system/limit-512M.slice
[Unit]
Description=Slice with MemoryLimit=512M
Before=slices.target

[Slice]
MemoryAccounting=true
MemoryLimit=512M

Then you can run a program in that slice and memory accounting will be enabled:

sudo systemd-run --slice limit-512M.slice --scope /usr/bin/sudo -u $username google-chrome-stable

You can set MemoryLimit to 100M and try to open Google Maps.
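
Added example, not part of the issue thread or of systemd: `systemctl status` shows the cgroup in systemd's own hierarchy, so one way to confirm that a slice's memory limit can apply is to read the memory controller's entry in `/proc/<pid>/cgroup`. The function names and the sample file are constructed for illustration; the thread does not show what this file contained on the reporter's machine.

```shell
#!/bin/sh
# Added example (not from the issue thread): find the cgroup that actually
# governs memory for a process, from the contents of /proc/<pid>/cgroup.
# Each line there is "hierarchy-id:controllers:path".

# memory_cgroup FILE: print the path in the memory hierarchy (cgroup v1),
# falling back to the unified "0::" entry (cgroup v2).
memory_cgroup() {
    awk -F: '
        {
            # Rejoin the path in case it contains ":" itself.
            path = $3; for (i = 4; i <= NF; i++) path = path ":" $i
            n = split($2, ctrl, ",")
            for (j = 1; j <= n; j++)
                if (ctrl[j] == "memory") { v1 = path; has_v1 = 1 }
        }
        $1 == "0" && $2 == "" { v2 = path; has_v2 = 1 }
        END { if (has_v1) print v1; else if (has_v2) print v2 }
    ' "$1"
}

# limit_applies FILE SLICE: succeed only if that path lies inside SLICE.
limit_applies() {
    case "$(memory_cgroup "$1")" in
        */"$2" | */"$2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: the systemd hierarchy places the process in chrome.slice
# (what systemctl status displays) while the memory hierarchy does not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
4:memory:/user.slice
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/chrome.slice/run-example.service
EOF

if limit_applies "$sample" chrome.slice; then
    echo "memory cgroup is inside chrome.slice"
else
    echo "memory cgroup is $(memory_cgroup "$sample"): chrome.slice limits do not apply"
fi
rm -f "$sample"
```

On a running system, pass `/proc/<pid>/cgroup` of one of the listed processes as FILE. On cgroup v2 the path match is necessary but not sufficient: the memory controller must also be listed in that cgroup's `cgroup.controllers` file.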
